Reports emerged this week about a spam-producing Android botnet, but is this really an Android problem?

As outlined by PCMag's Security Watch, researchers from Microsoft and Sophos on Wednesday said they had found the first instance of an Android botnet. The spam messages included the signature, "Sent from Yahoo! Mail on Android," prompting Microsoft researcher Terry Zink to conclude that "a spammer has control of a botnet that lives on Android devices."

Later that day, however, Lookout Security said "a more plausible explanation for this behavior appears to be insecure Android applications."

Lookout said the information provided by Microsoft and Sophos was not enough to "definitively identify" the cause of the spam because the data is "easily replicable."

"After taking a detailed look at the app, we've found a number of issues that have potentially broader implications for all Android users of Yahoo! Mail," Lookout continued. "In the interest of responsible disclosure, we cannot at this time provide details around such vulnerabilities."

Microsoft's Zink and Sophos's Wisniewski have since published follow-up posts. Zink conceded that it's "entirely possible" that a bot on a compromised PC connected to Yahoo Mail inserted the Android tagline in an effort to dupe people into thinking it came from Android devices.

"On the other hand, the other possibility is that Android malware has become much more prevalent and because of its ubiquity, there is sufficient motivation for spammers to abuse the platform. The reason these messages appear to come from Android devices is because they did come from Android devices," he said.

Zink said he considered both options before publishing his data and "selected the latter."

In his own post, Wisniewski said he "didn't make it clear that we do not have a malware sample that does this, simply evidence that strongly suggests it is happening."

Wisniewski said he has "no evidence" of message forgery. "The messages are delivered to our spam traps from genuine Yahoo! servers with valid DKIM signatures," he wrote.

Wisniewski conceded that "we don't know the answer right now," but said "the evidence suggests it is Android malware and there isn't a good reason to think that pretending it is from Yahoo! via Android devices is of any benefit to the spammers."

For its part, Google is in the "infected PC" camp, according to the BBC. Yahoo has not yet responded to a request for comment.

About the Author

Before joining PCMag.com, Chloe covered financial IT for Incisive Media in NYC and technology policy for The National Journal's Technology Daily in Washington, DC. She has held internships at NBC's Meet the Press, washingtonpost.com, the Tate Gallery press office in London, Roll Call, and Congressional Quarterly. She graduated with a bachelor's deg...